George Ou wrote:
Permitting only legitimate SMTP
servers via SenderID lookup follows the "least privileges" rule and is a
much more effective ACL. Anyone who blocks all non-SPF compliant messages
blocks all illegitimate SMTP servers using a database (public DNS records)
that they don't need to personally manage. Creating or managing a massive
database of non-SMTP servers is totally impractical.
Port 25 blocking is also a least privileges model. Consumer ISPs block
all outgoing port 25, then punch a few holes in the firewall for their
own mail servers and the few customers that request an exemption.
Sounds quite manageable to me.
What makes you think that it takes "ALL domains" to implement SPF? Just the
top 50 domains in the world alone implementing it would pretty much force
the entire world to comply unless they don't care for their messages to be
delivered to the 50 largest domains. Do you honestly believe you can get
all ISPs and hotspots to manage a much larger non-SMTP server ACL?
I think you just answered your own question. In summary you are saying
that if the large domains require SPF then everyone will be forced to
put SPF records in for any domain that sends email. So you are in fact
saying that yes, everyone will be forced to implement SPF records in
your scheme. I submit that no ISP is willing to risk the loss of
requiring SPF because doing so would lose a vast amount of legitimate
email. In the current environment at best you would be able to get
sites to reject on SPF hard fail, but that wouldn't achieve your goal.
It's a chicken and egg problem that I don't think any ISP in their right
mind would go along with.
Your blog says that port 25 blocking is controversial with users. I
submit that it is controversial to a minuscule number of users. On the
other hand, requiring an SPF pass on all incoming email right now would
cause huge amounts of legitimate mail to be blocked. How controversial
do you think that will be? Already we have a number of respected
anti-spammers who are quite opposed to SPF because hard fails are
occasionally false positives. You're gonna have people bouncing off the
walls if you reject soft fail and unknown status and only allow SPF pass
messages.
Implementing port 25 blocking also requires significant work, but the
downside is limited to only a few people. Also the number of consumer
ISPs is much smaller than the number of email domains out there. If you
got the top 50 consumer ISPs to implement port 25 blocking, then nobody
else has to do anything at all and you'll probably be at least 80% of
the way done in terms of number of zombies no longer effective.
A number of large consumer ISPs have already implemented it with only a
few grumbles about it. Consumer ISPs which implement it will see an
immediate reduction of complaints coming into their abuse mailbox, and
only have a handful of users who will need to make a change. That
sounds a heck of a lot more manageable than forcing everyone to
implement SPF records and having tons of legitimate mail rejected until
everyone complies.
--
James Lick -- 黎建溥 -- jlick(_at_)jameslick(_dot_)com -- http://jameslick.com/
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
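The pass / hard fail / soft fail / unknown distinction the reply turns on, as an added example that is not part of this post or of any real SPF implementation: a simplified evaluator (ip4, ip6 and all mechanisms only; no include, a or mx) run over a constructed sample of messages under the two receiver policies being argued about. All records, addresses and domains are assumed values.

```python
import ipaddress

# Qualifier prefixes as used in SPF records (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a simplified SPF record for the connecting IP.

    Supports only ip4:, ip6: and all mechanisms; anything else is skipped.
    Returns pass / fail / softfail / neutral, or 'none' for a missing record.
    """
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched: default result is neutral


def decision(result, reject_hardfail_only=True):
    """Receiver policy: reject only hard fail, or accept only an SPF pass."""
    if reject_hardfail_only:
        return "reject" if result == "fail" else "accept"
    return "accept" if result == "pass" else "reject"


# Constructed sample (assumption): (sender's record, connecting IP, legitimate?)
SAMPLE = [
    ("v=spf1 ip4:192.0.2.0/24 -all", "192.0.2.10", True),      # pass
    ("v=spf1 ip4:192.0.2.0/24 -all", "203.0.113.9", False),    # forged: hard fail
    ("v=spf1 ip4:198.51.100.0/24 ~all", "203.0.113.9", True),  # legit, roaming: softfail
    (None, "198.51.100.40", True),                             # no record published
]


def count_legit_rejected(reject_hardfail_only):
    """How many legitimate sample messages a given receiver policy would bounce."""
    return sum(1 for rec, ip, legit in SAMPLE
               if legit and decision(evaluate_spf(rec, ip), reject_hardfail_only) == "reject")
```

Under the hard-fail-only policy the forged message is the only one rejected; under the pass-only policy the two legitimate but non-passing messages are bounced as well.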